A crash course in security incident reporting

Related Links

Security incidents that federal agencies reported in 2003 reveal a sharply divided picture of information security across the federal government.

The incident numbers, which the Office of Management and Budget reported to Congress March 3, were so divergent that OMB officials say they will go back to the drawing board to help agencies understand incident reporting requirements.

"We do have a governmentwide definition" for a security incident, said an OMB official who spoke on condition of anonymity. "But what we're finding is interpretation differences, even between bureaus."

Despite a federal definition, the Department of Housing and Urban Development reported a single information security incident last year, while Department of Health and Human Services officials recorded 348.9 million incidents.

Without more information than the aggregate numbers, the OMB official said it is impossible to know which number, if any, is suspect. However, in their report to Congress, OMB officials expressed "a continuing concern regarding the timeliness and accuracy of incident reporting by agencies."

Agencies also poorly notified the Federal Computer Incident Response Center of security incidents. Although such reporting is mandatory, agencies reported only 506,291 incidents to FedCIRC last year, a year in which federal agencies, in some cases, said they had had millions of such incidents.

Partly because of the difficulty of getting good incident data, Homeland Security Department officials have created several interagency groups to work on the problem. Indeed, one option might be a technical one, in which FedCIRC would pull incident data automatically from agency systems, the OMB report said. Automating the incident reporting process would greatly increase the raw data available for analysis.

What is most significant, though, is the number of times an attacker gains access and takes control of a machine remotely. "For the most part, you have no clue," either about when or how often this actually is occurring, said Alan Paller director of research at the SANS Institute.